Access published services through backends
This guide describes how to configure a global external Application Load Balancer with a Private Service Connect backend to access a service that is published by using Private Service Connect.
For more information, see About Private Service Connect backends.
Roles
The Compute Load Balancer Admin
role
(roles/compute.loadBalancerAdmin
) contains the permission required to perform
the tasks described in this guide.
Before you begin
If you want to publish your own service, see Publish services by using Private Service Connect.
If you're connecting a service that is published by a third party, ask the service producer for the following information:
The URI of the service attachment for the service that you want to connect to. The service attachment has this format:
projects/SERVICE_PROJECT/regions/REGION/serviceAttachments/SERVICE_NAME
Any requirements for what DNS names you use to send requests to. You might need to use specific DNS names in your URL map configuration or DNS configuration.
Create a network endpoint group
Create a Private Service Connect NEG that points to the service attachment for the published service that you want to access. If the published service is deployed across multiple different regions, create one NEG per service attachment.
Each Private Service Connect NEG consumes a /32
IP address so
that the load balancer can communicate with it.
Console
In the Google Cloud console, go to the Network endpoint groups page.
Click Create network endpoint group.
Enter a Name for the network endpoint group.
For the Network endpoint group type, select Network endpoint group (Private Service Connect).
Select the target type Published service.
For Target service, enter the URI of the service attachment.
Select the Network and Subnet to create the network endpoint group in.
The subnet must be in the same region as the published service.
Click Create.
gcloud
gcloud compute network-endpoint-groups create NEG_NAME \ --network-endpoint-type=private-service-connect \ --psc-target-service=TARGET_SERVICE \ --region=REGION \ --network=NETWORK \ --subnet=SUBNET
Replace the following:
NEG_NAME
: a name for the network endpoint group.TARGET_SERVICE
: the service attachment that you want to connect to.REGION
: the region to create the network endpoint group in. The region must be the same region as the target service.NETWORK
: the network to create the network endpoint group in. If omitted, the default network is used.SUBNET
: the subnet to create the network endpoint group in. The subnet must be in the same region as the target service. A subnet must be provided if you provide the network. If both network and subnet are omitted, the default network is used, and the default subnet in the specifiedREGION
is used.
Reserve an external IP address for the load balancer
To reserve an external IP address for the load balancer, follow these steps.
Console
In the Google Cloud console, go to the IP addresses page.
To reserve an IPv4 address, click Reserve static address.
Assign a Name for the IP address resource.
Set the Network tier to Premium.
Set the IP version to IPv4.
Set the Type to Global.
Click Reserve.
gcloud
Reserve a global external IPv4 address for the load balancer.
gcloud compute addresses create ADDRESS_NAME \ --ip-version=IPV4 --global
Replace
ADDRESS_NAME
with a name for the IP address resource.Run this command to view the reserved IP address:
gcloud compute addresses describe ADDRESS_NAME \ --format="get(address)" --global
Create an SSL certificate resource
To create an HTTPS load balancer, you must add an SSL certificate resource to the load balancer's front end. Create an SSL certificate resource by using either a Google-managed SSL certificate or a self-managed SSL certificate.
Google-managed certificates. We recommend that you use Google-managed certificates because Google Cloud obtains, manages, and renews these certificates automatically. To create a Google-managed certificate, you must have a domain and the DNS records for that domain to provision the certificate. If you don't already have a domain, you can get one from Google Domains; for more information, see Get started with Google Domains. Additionally, you need to update the domain's DNS A record to point to the load balancer's IP address created in the previous step; for detailed instructions, see Use Google-managed certificates.
Self-managed certificates. Self-managed SSL certificates are certificates that you obtain, provision, and renew yourself. Self-managed certificates can be signed by a certificate authority or can be self-signed. If they are signed by a certificate authority, you must have a domain. If you don't already have a domain, you can get one from Google Domains; for more information, see Get started with Google Domains. Additionally, you need to update the domain's DNS A record to point to the load balancer's IP address created in the previous step; for detailed instructions, see Use self-managed SSL certificates.
If you do not want to set up a domain at this time, you can use a self-signed SSL certificate for testing.
These instructions assume that you have already created an SSL certificate resource.
Configure the load balancer
Configure a global external Application Load Balancer with advanced
traffic management capabilities (load balancing scheme set to
EXTERNAL_MANAGED
) to connect to a managed service.
If you are connecting to a published service that is deployed across multiple regions, and you have created multiple Private Service Connect NEGs to connect to each service attachment, you can add all of the NEGs to the backend service.
Although the Private Service Connect NEG is regional, all other load balancing components in this configuration are global.
Console
Start your configuration
In the Google Cloud console, go to the Load balancing page.
- Click Create load balancer.
- For Type of load balancer, select Application Load Balancer (HTTP/HTTPS) and click Next.
- For Public facing or internal, select Public facing (external) and click Next.
- For Global or single region deployment, select Best for global workloads and click Next.
- For Load balancer generation, select Global external Application Load Balancer and click Next.
- Click Configure.
Basic configuration
- Enter a Load balancer name.
- Keep the window open to continue.
Frontend configuration
- Click Frontend configuration.
- Click Add frontend IP and port.
- Enter a Name for the load balancer.
- In the Protocol field, select HTTPS (includes HTTP/2).
- Ensure that the Port is set to
443
to allow HTTPS traffic. For IP address, select the IP address that you reserved.
Click the Certificate list and select the certificate that you have created.
Click OK.
Click Done.
Backend configuration
The Private Service Connect network endpoint group is a type of load balancer backend. Add all Private Service Connect NEGs for the same managed service to the backend service.
- Click Backend configuration.
- Click the Backend services & backend buckets list, and then click Create a backend service.
- Enter a Name for the backend service.
- Set the Backend type to Private Service Connect network endpoint group.
- In the Backends section, click the Private Service Connect network endpoint group list, and select the Private Service Connect NEG that you created. Click Done.
If you created more than one Private Service Connect NEG, click Add backend to select another NEG.
Repeat this step until all NEGs for this managed service are added to the backend service.
Click Create.
Routing rules
Because this configuration contains only one backend service, the default routing rule is sufficient and you do not need to make any changes in this section.
Review and finalize
- To review the configuration, click Review and finalize.
- Click Create.
gcloud
Create a backend service for the managed service that you want to connect to.
gcloud compute backend-services create BACKEND_SERVICE_NAME \ --load-balancing-scheme=EXTERNAL_MANAGED \ --protocol=HTTPS \ --global
Replace
BACKEND_SERVICE_NAME
with the name of the backend service.Add the Private Service Connect NEG that points to the target service.
If you have created multiple NEGs in different regions for the same service, repeat this step to add all of the NEGs to the backend service.
gcloud compute backend-services add-backend BACKEND_SERVICE_NAME \ --network-endpoint-group=NEG_NAME \ --network-endpoint-group-region=REGION \ --global
Replace the following:
BACKEND_SERVICE_NAME
: the name of the backend service.NEG_NAME
: the name of the network endpoint group.REGION
: the region of the network endpoint group.
Create a URL map for the load balancer.
A URL map must reference a default backend service. Configure the backend service that you have created as the default backend service.
gcloud compute url-maps create URL_MAP_NAME \ --default-service=BACKEND_SERVICE_NAME \ --global
Replace the following:
URL_MAP_NAME
: a name for the URL map.BACKEND_SERVICE_NAME
: the name of the load balancer's default backend service. The default is used when no host rule matches the requested hostname.
Create the target HTTPS proxy.
Use the SSL certificate resource that you created to create a target HTTPS proxy.
gcloud compute target-https-proxies create PROXY_NAME \ --url-map=URL_MAP_NAME \ --ssl-certificates=CERTIFICATE
Replace the following:
PROXY_NAME
: a name for the target HTTPS proxy.URL_MAP_NAME
: the name of the URL map.CERTIFICATE
: the name of the certificate resource.
Create the forwarding rule.
gcloud compute forwarding-rules create FWD_RULE \ --load-balancing-scheme=EXTERNAL_MANAGED \ --network-tier=PREMIUM \ --address=ADDRESS_NAME \ --target-https-proxy=PROXY_NAME \ --ports=443 \ --global
Replace the following:
FWD_RULE
: a name for the forwarding rule.ADDRESS_NAME
: the IP address resource that you reserved to use for the forwarding rule.PROXY_NAME
: the name of the target HTTPS proxy.
Configure DNS records
If you want to access your Private Service Connect backend by using a DNS name, create DNS names for each external forwarding rule. The DNS record must correspond to a name in the URL map. Unless your URL map rewrites the names, the DNS record must also correspond to the names that the producer service expects.
If you're using Cloud DNS to manage DNS, see adding a DNS record.
Verify the configuration
Create the VM instance.
gcloud compute instances create VM_NAME \ --network=NETWORK \ --image-project=debian-cloud --image-family=debian-11 \ --zone=ZONE
Replace the following:
VM_NAME
: a name for the virtual machine.NETWORK
: the network for the VM.ZONE
: the zone for the VM.
Connect to the VM.
gcloud compute ssh VM_NAME --zone=ZONE
Use
curl
to verify the configuration. This command sets theHost
header and bypasses DNS resolution by specifying a user-defined IP address. You can omit the port if you are using the default port for the protocol, for example, using port 443 for HTTPS.You can skip certificate validation using the
-k
flag. You might need to skip validation if you used a self-signed certificate to configure the target HTTPS proxy, or if the VM does not have the certificate of the certificate authority that signed your certificate.curl [-k] -s 'https://HOST:443/RESOURCE_URI' \ -H 'Host: HOST' \ --connect-to HOST:443:FWD_RULE_IP_ADDRESS:443
Replace the following:
HOST
: the hostname that is configured in the URL map.RESOURCE_URI
: the rest of the URI of the resource that you want to use for verification.FWD_RULE_IP_ADDRESS
: the IP address assigned to the forwarding rule.
Troubleshooting
Backend creation succeeds, but connectivity is not established
If you successfully create a backend for published services but connectivity is not established, check the backend's connection status. The connection status might indicate steps that you can take to resolve the issue.